From 15ef27fe0f97b2338a853822a6d7f310d166372d Mon Sep 17 00:00:00 2001
From: Robert Raposa <rraposa@edx.org>
Date: Tue, 15 Mar 2016 12:44:57 -0400
Subject: [PATCH 1/3] Escape full name

TNL-3849/SEC-69
---
 lms/templates/verify_student/pay_and_verify.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lms/templates/verify_student/pay_and_verify.html b/lms/templates/verify_student/pay_and_verify.html
index 0f862a682f..4b3a99e609 100644
--- a/lms/templates/verify_student/pay_and_verify.html
+++ b/lms/templates/verify_student/pay_and_verify.html
@@ -58,7 +58,7 @@ from lms.djangoapps.verify_student.views import PayAndVerifyView
     <div
       id="pay-and-verify-container"
       class="pay-and-verify"
-      data-full-name='${user_full_name}'
+      data-full-name='${user_full_name | h}'
       data-platform-name='${platform_name}'
       data-course-key='${course_key}'
       data-course-name='${course.display_name|h}'

From 0a8f6fa3fe0bbfdf84ce39404a4a3b288f01bec8 Mon Sep 17 00:00:00 2001
From: Robert Raposa <rraposa@edx.org>
Date: Tue, 15 Mar 2016 09:32:10 -0400
Subject: [PATCH 2/3] Properly escape the name

---
 lms/templates/instructor/instructor_dashboard_2/metrics.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lms/templates/instructor/instructor_dashboard_2/metrics.html b/lms/templates/instructor/instructor_dashboard_2/metrics.html
index 7aae9338ae..5eee8e05e1 100644
--- a/lms/templates/instructor/instructor_dashboard_2/metrics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/metrics.html
@@ -91,7 +91,7 @@ from django.template.defaultfilters import escapejs
             $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
 
             $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + '</td></tr>';
               $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
             });
             // If student list too long, append message to screen.
@@ -131,7 +131,7 @@ from django.template.defaultfilters import escapejs
             $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
 
             $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + "</td><td>" + value['grade'] + "</td><td>" + value['percent'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + "</td><td>" + _.escape(value['grade']) + "</td><td>" + _.escape(value['percent']) + '</td></tr>';
               $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
             });
             // If student list too long, append message to screen.

From 90a72ddba690c99f10d0e044cc30bf0637d1292d Mon Sep 17 00:00:00 2001
From: Ayub-khan <Ayub.khan@arbisoft.com>
Date: Wed, 16 Mar 2016 18:57:45 +0500
Subject: [PATCH 3/3] Properly escaping fullname

To prevent XSS attacks, we now properly escape any string containing
the user's fullname. Enumerated by searching webview.py for "fullname",
and "git grep"-ing any occurrences. This also exposed some unused strings,
which I deleted for clarity.
---
 lms/templates/certificates/_accomplishment-banner.html    | 2 +-
 lms/templates/certificates/_accomplishment-rendering.html | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lms/templates/certificates/_accomplishment-banner.html b/lms/templates/certificates/_accomplishment-banner.html
index 2ca86733c3..eba7ee8d9c 100644
--- a/lms/templates/certificates/_accomplishment-banner.html
+++ b/lms/templates/certificates/_accomplishment-banner.html
@@ -40,7 +40,7 @@ from django.template.defaultfilters import escapejs
 <div class="wrapper-banner wrapper-banner-user">
     <section class="banner banner-user">
         <div class="message message-block message-notice">
-            <h2 class="message-title hd-5 emphasized">${accomplishment_banner_opening}</h2>
+            <h2 class="message-title hd-5 emphasized">${accomplishment_banner_opening | h}</h2>
             <div class="wrapper-copy-and-actions">
                 <p class="message-copy copy copy-base emphasized">${accomplishment_banner_congrats}</p>
                 <div class="message-actions">
diff --git a/lms/templates/certificates/_accomplishment-rendering.html b/lms/templates/certificates/_accomplishment-rendering.html
index 2182b2ae90..05c67ea26a 100644
--- a/lms/templates/certificates/_accomplishment-rendering.html
+++ b/lms/templates/certificates/_accomplishment-rendering.html
@@ -24,7 +24,7 @@ course_mode_class = course_mode if course_mode else ''
             <div class="wrapper-statement-and-signatories">
                 <div class="accomplishment-statement">
                     <p class="accomplishment-statement-lead">
-                        <strong class="accomplishment-recipient hd-1 emphasized">${accomplishment_copy_name}</strong>
+                        <strong class="accomplishment-recipient hd-1 emphasized">${accomplishment_copy_name | h}</strong>
                         <span class="accomplishment-summary copy copy-lead">${accomplishment_copy_description_full}</span>
 
                         <span class="accomplishment-course hd-1 emphasized">
@@ -86,7 +86,7 @@ course_mode_class = course_mode if course_mode else ''
 
     <div class="wrapper-accomplishment-metadata">
         <div class="accomplishment-metadata">
-            <h2 class="accomplishment-metadata-title hd-6">${accomplishment_copy_more_about}</h2>
+            <h2 class="accomplishment-metadata-title hd-6">${accomplishment_copy_more_about | h}</h2>
 
             <div class="wrapper-metadata">
                 <dl class="metadata accomplishment-recipient">
@@ -96,7 +96,7 @@ course_mode_class = course_mode if course_mode else ''
                             <img class="src" src="/static/certificates/images/demo-user-profile.png" alt="">
                         </span>
                         <div class="recipient-details">
-                            <h3 class="recipient-name">${accomplishment_copy_name}</h3>
+                            <h3 class="recipient-name">${accomplishment_copy_name | h}</h3>
                             <p class="recipient-username">${accomplishment_copy_username} @ ${platform_name}</p>
                         </div>
                     </dd>